Fortunately, Active Directory (AD) has a feature for restoring accidentally deleted user accounts. The problem in AD is not only bringing the lost account back to life, but also returning the account to its old groups. Restoring accounts is also tied to repairing and bringing back inadvertently deleted groups and objects, because accounts are often lost in bulk when an object holding multiple accounts is deleted by mistake. This tip examines how to use this Active Directory security feature.
First, as a preventive measure, Microsoft recommends taking steps to stop administrators from being able to delete objects in bulk. They recommend using the ADSIEdit, LDP or DSACLS tools to set a "deny" access control entry (ACE) on the security descriptor of every object and its parent.
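The "deny ACE on every object and its parent" measure above, as an added example that is not part of the original tip or of Microsoft's KB article: it denies Everyone the Delete, DeleteTree and (on the parent) DeleteChild rights for an OU and the objects directly under it, then reads the ACL back to confirm. It assumes the ActiveDirectory PowerShell module is loaded and uses a constructed placeholder OU name; the exact set of rights to deny is this example's choice.

```powershell
# Added example: deny delete rights on an OU and on every object directly under it.
# Assumes the ActiveDirectory module (for the AD: drive and Get-ADObject).
Import-Module ActiveDirectory

$ParentOU = "OU=Staff,DC=corp,DC=example"   # placeholder, constructed for this example
$Everyone = New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0"
$Deny     = [System.Security.AccessControl.AccessControlType]::Deny
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]

function Add-DenyDeleteAce {
    # Adds a Deny ACE for Everyone with the given rights to the object at $Dn.
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryRights]$DenyRights)
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Everyone, $DenyRights, $Deny)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Test-DeleteDenied {
    # Read-back check: $true only if a Deny ACE for Everyone covers the Delete right.
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($rule in $acl.Access) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($rule.AccessControlType -eq $Deny -and $sid -eq $Everyone.Value -and
            (($rule.ActiveDirectoryRights -band $Rights::Delete) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Parent: deny DeleteChild so nothing under the OU can be removed, plus Delete/DeleteTree on the OU itself.
Add-DenyDeleteAce -Dn $ParentOU -DenyRights ($Rights::Delete -bor $Rights::DeleteTree -bor $Rights::DeleteChild)

# Each object directly under the OU: deny Delete and DeleteTree.
Get-ADObject -SearchBase $ParentOU -SearchScope OneLevel -Filter * |
    ForEach-Object { Add-DenyDeleteAce -Dn $_.DistinguishedName -DenyRights ($Rights::Delete -bor $Rights::DeleteTree) }

# Verify the parent before trusting the protection.
if (-not (Test-DeleteDenied -Dn $ParentOU)) { throw "Deny ACE missing on $ParentOU" }
```

An administrator who genuinely needs to delete one of these objects must remove the Deny ACE first, which is the friction the measure is designed to create; on Windows Server 2008 and later, `Set-ADObject -ProtectedFromAccidentalDeletion $true` applies equivalent Deny ACEs for you.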
Barring that, Microsoft recommends three ways to restore deleted users. The first is to restore the accounts using the Ntdsutil command-line tool, which is only available on Microsoft Windows Server 2003 with Service Pack 1, and then add them back to their groups. The second, without the tool, is to use the most current system state backup of the global catalogue on the user's domain controller. This, of course, has to be done before the current global catalogue has replicated and overwritten the backup.
The third method is to restore both the deleted user and his or her security groups twice. Microsoft says the process has to be repeated to repair group membership information, which may not be fully restored in a single pass.
There are also other manual restoration methods in the Microsoft Knowledge Base at KB 840001. The article is an excellent reference with details and step-by-step instructions on how to restore Active Directory accounts.